GR-11.1 Outsourcing

GR-11.1.1

Ancillary service providersG must undertake a thorough risk assessment of an outsourcingG proposal, before formally submitting the request for approval to the CBB and committing itself to an agreement.

Added: December 2018

GR-11.1.2

The risk assessment should — amongst other things — include an analysis of (i) the business case; (ii) the suitability of the outsourcing providerG including but not limited to the outsourcing provider's financial soundness, its technical competence, its commitment to the arrangement, its reputation, its adherence to international standards, and the associated country risk; and (iii) the impact of the outsourcingG on the licensee's overall risk profile and its systems and controls framework.

Added: December 2018

GR-11.1.3

OutsourcingG means an arrangement whereby a third party performs on behalf of a licensee an activity that was previously undertaken by the licensee itself (or in the case of a new activity, one which ordinarily would have been performed internally by the licensee). Examples of services that are typically outsourced include data processing, cloud services, customer call centres and back-office related activities.

Added: December 2018

GR-11.1.4

Ancillary service providersG must seek the CBB's prior written approval before committing to a new material outsourcingG arrangement and/or when the terms or conditions of the outsourcingG arrangement are altered.

(b) Contain sufficient detail to demonstrate that relevant risks are satisfactorily addressed; and

(c) Be made at least 6 weeks before the licenseeG intends to commit to the arrangement.

Added: December 2018

GR-11.1.5

Ancillary service providersG must retain ultimate responsibility for functions or activities that are outsourced. In particular, licenseesG must ensure that they continue to meet all their regulatory obligations with respect to outsourced activities.

Added: December 2018

GR-11.1.6

Once an activity has been outsourced, ancillary service providersG must continue to monitor the associated risks and the effectiveness of its mitigating controls. Ancillary service providers must inform its normal supervisory contact at the CBB if material problems are encountered with the outsourcing providerG . The CBB may direct the ancillary service providers to make alternative arrangements for the outsourced activity.

Added: December 2018

GR-11.1.7

Ancillary service providersG must maintain and regularly review contingency plans to enable them to set up alternative arrangements — with minimum disruption to business — should the outsourcingG contract be suddenly terminated or the outsourcing providerG fail.

Added: December 2018

GR-11.1.8

Ancillary service providersG must nominate a relevant approved person with day-to-day responsibility for handling the relationship with the outsourcing providerG and ensuring that relevant risks are addressed.

Added: December 2018

GR-11.1.9

A legally enforceable contract document must be available for any material outsourcingG arrangement. Where the outsourcing providerG interacts directly with a licensee's customersG , the contract must — where relevant — reflect the licensee's own standards regarding customer care.

Added: December 2018

GR-11.1.10

Mechanisms for the regular monitoring by licenseesG of performance against service level agreementG and other targets, and for implementing remedies in case of any shortfalls, must also form part of the agreement. Such reviews must take place at least every year.

Added: December 2018

GR-11.1.11

OutsourcingG agreements must ensure that the licensee'sG internal and external auditors have timely access to any relevant information they may require to fulfil their responsibilities. Such access must allow them to conduct on-site examinations of the outsourcing providerG , if required.

Added: December 2018

GR-11.1.12

Ancillary service providersG must also ensure that the CBB inspectors and appointed expertsG have timely access to any relevant information they may reasonably require to fulfil its responsibilities under the law. Such access must allow the CBB to conduct on-site examinations of the outsourcing providerG , if required.

Added: December 2018

GR-11.1.13

Where the outsourcing providerG is based overseas, the outsourcing providerG must confirm in the outsourcingG agreement that there are no regulatory or legal impediments to either the licensee's internal and external auditors, or the CBB inspectors and appointed expertsG , as appropriate.

Added: December 2018

GR-11.1.14

The outsourcing providerG must commit itself, in the outsourcingG agreement, to informing the licensee of any developments that may have a material impact on its ability to meet its obligations. These may include, for example, relevant control weaknesses identified by the outsourcing provider'sG internal or external auditors, and material adverse developments in the financial performance of the outsourcing providerG .

Added: December 2018

GR-11.1.15

Termination under any other circumstances allowed under the outsourcing agreement must give licenseesG a sufficient notice period in which they can effect a smooth transfer of the service to another provider or bring it back in-house.

Added: December 2018

GR-11.1.16

In the event of termination, for whatever reason, the agreement must provide for the return of all customer data — where required by licenseesG — or destruction of the records.